Methods for acouiring an internet user&#39;s consent to be located and for authenticating the identity of the user using location information

ABSTRACT

A method and system for acquiring an Internet user&#39;s consent to be geographically located via at least two independent sources of geographical information while at least one independent source of geographical information is the wireless location of said Internet user&#39;s communication voice device. The method does not require any user intervention other than the user&#39;s interaction with an Internet site via the Internet user&#39;s Internet browser.

RELATED APPLICATIONS

This application claims priority of U.S. provisional application No.61/445,860 filed on Feb. 23, 2011 and U.S. provisional application No.61/318,329 filed on Mar. 28, 2010.

This is a continuation-in-part of pending U.S. patent application Ser.No. 12/357,380, filed Jan. 1, 2009, which is a continuation-in-part ofSer. No. 11/405,789 filed Apr. 18, 2006, which claims the benefit ofprovisional application No. 60/711,346 filed on Aug. 25, 2005. Thecontents of these prior applications are incorporated herein byreference in their entirety.

This is also a continuation-in-part of pending U.S. patent applicationSer. No. 12/260,065 filed Oct. 28, 2008, which is a continuation-in-partof Ser. No. 11/346,240 filed Feb. 3, 2006, claiming priority ofprovisional application No. 60/674,709 filed Apr. 26, 2005, and issuedas U.S. Pat. No. 7,503,489.

This is also a continuation-in-part of pending U.S. patent applicationSer. No. 12/600,808 filed Nov. 18, 2009 as a national stage applicationof PCT/US07/12552 filed May 29, 2007. The present provisionalapplication incorporates herein by reference the entire disclosure ofU.S. patent application Ser. No. 12/600,808.

TECHNICAL FIELD

The invention relates to the geographic location (geolocation) ofInternet users, and to the authentication of the identity of Internetusers in connection with access to computer systems, servers, and websites, and authorization of transactions.

BACKGROUND OF THE INVENTION

The use of the Internet has become a common a popular arena for the saleof goods and services. Such sales require the transmission of personaland confidential data belonging to the buyer of such goods and services.Such information is often the target of identity theft. In response tothe increase in the opportunity for the commission of fraud throughidentity theft, sellers and providers of goods and services through theInternet require a method whereby such fraud can be reduced.

It is preferred to keep the Internet user's experience simple while theInternet user is shopping online or accessing their online bank account.On the other hand, the Internet fraud causes online banks and ecommerceproviders to lose significant amounts of money to fraudulenttransactions. In addition, for privacy reasons, it is preferable toacquire the Internet user's consent before locating the Internet user'swireless geographical location. Therefore, it is preferable to be ableto authenticate the Internet user automatically without userintervention or with very little user intervention.

Present technologies that authenticate the Internet user or acquire theInternet user's consent to be located are using ‘Out Of Band’technologies that require user intervention and involve at least oneaction with a communication voice device. For example, in a methodreferred to as phone authentication, when a transaction is initiatedover the Internet, an automated phone call or text message can be sentto the user's registered phone number. The user is asked to verify thespecific transaction, for example via the following hypothetical text orvoice dialogue:

“This is phone verification calling to verify the transfer of $10,000 toaccount 77356 at Bank Of Canada. Please click ‘1’ to approve or click‘2’ to talk with our representative.”

If the transaction is valid, the user presses “1” or replies to the textmessage to approve the transaction. If the user does not answer the callor respond to the text message with “2”, the transaction is denied orflagged for further review. In addition, the user can report fraudulenttransactions by entering “2” during the call or in the text messagereply. This locks the account and sends an alert to the bank'santi-fraud team.

Internet commerce is not the only activity where methods for userauthentication are desirable. Owners of Internet web sites, web hosts,and other proprietors of Internet-accessible computer systems andservers usually wish to limit access to authorized users.

With respect to Internet usage, upon accessing the Internet, an Internetuser's computer is identified with an IP address, a numeric identifierformatted according to the Internet protocol in use at the time.Whenever an Internet user enters a Internet site, the Internet user's IPaddress is identified to the Internet site owner. In parent applicationsto the present invention, the present inventor has described systems inwhich such an identified IP address can be traceable geographically toits source so as to determine the location (state and city) of theInternet user; in some cases the IP address can be traced to within aradius of a few miles from its source. The comparison of thegeographical location of the Internet user IP address, with thegeographical location of said Internet user communication voice devicecan provide the seller or provider a means to authenticate the identityof the Internet user.

U.S. patent application Pub. No. 2001/0034718 of Shaked et al. disclosesa method of controlling access to a service over a network, includingthe steps of automatically identifying a service user and acquiring userinformation, thereby to control access. Additionally, a method ofproviding service over a network, in which the service requiresidentification of a user, including the steps of automaticallyidentifying the user and associating the user with user information,thus enabling the service, is disclosed.

U.S. Pat. No. 6,466,779 to Moles et al. discloses a security apparatusfor use in a wireless network including base stations communicating withmobile stations for preventing unprovisioned mobile stations fromaccessing an Internet protocol (IP) data network via the wirelessnetwork.

U.S. patent application Pub. No. 2002/0188712 of Caslin et al. disclosesa fraud monitoring system for a communications system. The fraudmonitoring system analyzes records of usage activity in the system andapplies fraud pattern detection algorithms to detect patterns indicativeof fraud. The fraud monitoring system accommodates both transactionrecords resulting from control of a packet-switched network and thosefrom a circuit-switched network gateway.

U.S. patent application Pub. No. 2003/0056096 of Albert et al. disclosesa method to securely authenticate user credentials. The method includesencrypting a user credential with a public key at an access device. Thepublic key is part of a public/private key pair suitable for use withencryption algorithm. The decrypted user credential is then transmittedfrom the decryption server to an authentication server for verification.The decryption server typically forms part of a multi-party serviceaccess environment including a plurality of access providers. Thismethod can be used in legacy protocols, such as Point-to-Point Protocol(PPP), Password Authentication Protocol (PAP), Challenge-HandshakeAuthentication Protocol (CHAP), Remote Authentication Dial in UserServer (RADIUS) protocol, Terminal Access Controller Access ControlSystem (TACAS) protocol, Lightweight. Directory Access Protocol (LDAP),NT Domain authentication protocol, Unix password authenticationprotocol, Hypertext Transfer Protocol (HTTP), Hypertext TransferProtocol over Secure sockets layer (HTTPS), Extended AuthenticationProtocol (EAP), Transport Layer Security (TLS) protocol, Token Ringprotocol, and/or Secure Remote Password protocol (SRP).

U.S. patent application Publication Number US 2003/0101134 of Liu et al.teaches a method for transaction approval, including submitting atransaction approval request from a transaction site to a clearingagency; submitting a user authorization request from the clearing agencyto a user device; receiving a response to the user authorizationrequest; and sending a response to the transaction approval request fromthe clearing agency to the transaction site. Another method fortransaction approval includes: submitting a transaction approval requestfrom a transaction site to a clearing agency; determining whether atrusted transaction is elected; submitting a user authorization requestfrom the clearing agency to a user device if a trusted transaction isdetermined to be elected; receiving a response to the user authorizationrequest from the user device if the user authentication request wassubmitted; and sending a response to the transaction approval requestfrom the clearing agency to the transaction site. A system fortransaction approval includes a clearing agency for the transactionapproval wherein the clearing agency having a function to request foruser authorization, a network operatively coupled to the clearingagency, and a user device adapted to be operatively coupled to thenetwork for trusted transaction approval.

U.S. patent application Publication Number US 2003/0187800 of Moore etal. teaches systems, methods, and program products for determiningbillable usage of a communications system wherein services are providedvia instant communications. In some embodiments, there is provision forauthorizing the fulfillment of service requests based upon informationpertaining to a billable account.

U.S. patent application Publication Number US 2004/0111640 of Baumteaches methods and apparatus for determining, in a reliable manner, aport, physical location, and/or device identifier, such as a MACaddress, associated with a device using an IP address and for using suchinformation, e.g., to support one or more security applications.Supported security applications include restricting access to servicesbased on the location of a device seeking access to a service,determining the location of stolen devices, and authenticating thelocation of the source of a message or other IP signal, e.g., todetermine if a user is contacting a monitoring service from apredetermined location.

U.S. patent application Publication Number US 2005/0159173 of Dowlingteaches methods, apparatus, and business techniques for use in mobilenetwork communication systems. A mobile unit, such as a smart phone, ispreferably equipped with a wireless local area network connection and awireless wide area network connection. The local area network connectionis used to establish a position-dependent, e-commerce network connectionwith a wireless peripheral supplied by a vendor. The mobile unit is thentemporarily augmented with the added peripheral services supplied by thenegotiated wireless peripheral. Systems and methods allow the mobileunit to communicate securely with a remote server, even when thenegotiated wireless peripheral is not fully trusted. Also included aremobile units, wireless user peripherals, and negotiated wirelessperipherals projecting a non-area constrained user interface image on adisplay surface.

U.S. patent application Publication Number US 2005/0160280 of Caslin etal. teaches providing fraud detection in support of data communicationservices. A usage pattern associated with a particular account forremote access to a data network is monitored. The usage pattern iscompared with a reference pattern specified for the account. A fraudalert is selectively generated based on the comparison.

U.S. patent application Publication Number US 2005/0180395 of Moore etal. teaches an approach for supporting a plurality of communicationmodes through universal identification. A core identifier is generatedfor uniquely identifying a user among a plurality of users within thecommunication system. One or more specific identifiers are derived basedupon the core identifier. The specific identifiers serve as addressinginformation to the respective communication modes. The specificidentifiers and the core identifier are designated as a suite ofidentifiers allocated to the user.

While these systems may be suitable for the particular purpose employed,or for general use, there remains a need for methods of useridentification and authentication on computer networks.

SUMMARY OF THE INVENTION

It is an object of the invention to acquire the Internet user's consentover the Internet to be geographically located via at least two separateand independent sources of information while at least one independentsource of information is the wireless location of the Internet user'scommunication voice device. The invention will verify the Internetuser's identity from at least two independent sources of informationrelated to the Internet user while at least one of the independentsources is the user's communication voice device wireless location andthe user's interaction is only with the Internet site.

It is another object of the invention to acquire, via one single userclick using the Internet user's browser, the Internet user's consent tobe geographically located, and to be authenticated via at least twoseparate and independent sources of information while at least oneindependent source of information is the Internet user's communicationvoice device wireless geographical location.

It is an object of the invention to acquire the Internet user's consent,over the Internet user's browser, to be geographically located via atleast two separate and independent sources of information while at leastone independent source of information is the wireless location of theInternet user's communication voice device. The proposed invention willverify the Internet user's identity from at least two independentsources of information related to the Internet user where at least onesource of independent information is the user's communication voicedevice wireless location and where the user's interaction is only withthe browser and one communication voice device.

It is another object of the invention to acquire a communication voicedevice user's single consent, via a single interaction with thecommunication voice device (a button press or mouse click), to begeographically located via at least two sources of geographicalinformation where at least one source of information is the wirelesslocation of said communication voice device user. Accordingly, thismethod receives the consent of a communication voice device user or theInternet user, which is the same user to be geographically located andfor authenticating the identity of the Internet user.

It is another object of the invention to produce a means to decrease theInternet user's intervention with the communication voice device whileauthenticating the Internet user and to identify said Internet user fromat least two independent sources of information.

A further objective of this invention is to acquire an Internet user'sconsent, via one communication voice device, to be geographicallylocated via wireless technology using a second communication voicedevice without any user interaction with the second communication voicedevice. The first and second communication voice device can be the samecommunication voice device or two separate communication voice devices.In addition, the first and second sources of information can be of thesame communication voice device or two separate communication voicedevices.

It is another object of the invention to provide a means for providingan accurate geographical location of the Internet user and the Internetuser's IP address. Accordingly, this method includes identifying the IPaddress and tracing it geographically using any one of the existingsoftware programs that can trace IP addresses.

It is another object of the invention to provide a convenient means fordetermining the location of Internet users at both mobile and non-mobilecommunication voice devices and terminals. Accordingly, this methodincludes the utilization systems and software that are used to locatethe geographical location of people or communication voice devices, suchas, but not limited to Global Positioning Systems (GPS), Galileo, WiMAX,WiFi, RFID and external positioning apparatus, such as, but not limitedto, cellular base stations and antennas.

It is another object of the invention to provide a convenient means fordetermining a more accurate geographical location of routers using theInternet user communication voice device's geographical location and thesaid user IP address.

It is an object and feature of the present invention to provide amonitoring system in place to constantly monitor the existing sessionsor connections and flag the connections or sessions automatically afterthe authentication. It is another object and feature of the presentinvention to include a cross check of the prospective user's mobilevoice device number and location to assist in discriminating betweenauthorized and unauthorized users.

The invention includes a method and system for obtaining the consent ofan Internet user and communication voice device user or purchaser(hereinafter “Internet user”) to be geo-located and then to authenticatethe user through cross-referencing and comparison of at least twoindependent sources of information, such as, but not limited to, the IPaddress of the Internet user's computer, geographical location of theInternet user, router geographical location or the geographical locationof number of a communication voice device associated with said Internetuser.

This invention also includes a method and system for authenticating anInternet user identity by cross-referencing and comparing at least twoindependent sources of information. A first IP address of an Internetuser is identified. The geographical location of the IP address istraced geographically to determine a first location. The geographicaladdress of a communications device of said Internet user is traced todetermine a second location. The first and second locations are comparedfor geographical proximity to confirm the identity of the Internet user.Additionally, depending on the geographical proximity of the first andsecond location, a positive or negative score may be assigned to theInternet user, and access to the Internet site and the ability toconduct transactions may be allowed or limited based on the assignedscore. Alternatively, additional authentication information may berequired of the Internet user in order to proceed with the onlinetransaction, or access by the Internet user may be terminated.

This invention is a method and system for getting the communicationvoice device user's consent to be geographically located using wirelesstechnology with little or no intervention via the mobile phone.

The Internet user can be identified over the Internet by identifyingprivate information known to the Internet user only. Example: creditcard information, bank account information, username and password andother private information such as past loans, apartments addresses theInternet user used to live in, past merchandise purchased by theInternet user etc. Online verification of the Internet user's identitymay be accomplished by correlating the billing information of the creditcard or bank account and the communication voice device owner'sinformation. If the information above matches, it is known that the userthat is visiting the business Internet site is also the owner of thecommunication voice device and, therefore, the user has provided hisconsent online. At this point we can use that consent to locate the usercommunication voice device wireless geographical location.

Using the computerized method of the present invention it will bepossible to determine which connection is authorized; block unauthorizedaccess, sessions, and connections in real time; report breaches to thesecurity administrator about unauthorized access in real time or nearreal time; identify files that were uploaded into the server viaunauthorized sessions and connections, and possibly remove these filesautomatically; block IP addresses that try to get unauthorized accessinto the server; and to identify the attack pattern and learn how toblock future attacks using the identified patterns. The computerizedmethod of the present invention will make it possible to identify filesthat open unauthorized connections from the server into another remotecomputer, such as viruses and Trojans; identify potential securityvulnerability that may allow a hacker to get unauthorized access intothe server, and to automatically identify security holes that allowInternet fraudsters and hackers access into the server.

To the accomplishment of the above and related objects, the inventionmay be embodied in the forms illustrated in the accompanying drawings.It should be appreciated that the drawings are intended to be examples,and are illustrative only. Variations of the illustrated examples arecontemplated as being part of the invention, which is limited only bythe scope of the claims.

BRIEF DESCRIPTION OF THE DRAWINGS

In the drawings, like elements are depicted by like reference numerals.The drawings are briefly described as follows:

FIG. 1 is a flow chart illustrating the exemplary method and system foracquiring an Internet user's consent to be located and authenticatingsaid Internet user identity using the Internet user locationinformation, according to an embodiment of the present invention;

FIG. 2 is a flow chart illustrating a second exemplary method and systemfor acquiring an Internet user's consent to be located andauthenticating said Internet user identity using the Internet userlocation information, according to an embodiment of the presentinvention;

FIG. 3 is a flow chart illustrating a third exemplary method and systemfor acquiring an Internet user's consent to be located andauthenticating said Internet user identity using the Internet userlocation information, according to an embodiment of the presentinvention; and

FIG. 4 is a flow chart illustrating a fourth exemplary method and systemfor acquiring an Internet user's consent to be located andauthenticating said Internet user identity using the Internet userlocation information, according to an embodiment of the presentinvention.

FIG. 5 is a flow chart illustrating a fifth exemplary method and systemfor authenticating an Internet user by validating the identity of theuser via geolocation of the user's home or mobile communication deviceand IP address.

DETAILED DESCRIPTION OF THE INVENTION

The term “session” or “connection”, as used in the context of thepresent invention, applies to any communication between two computers,such as, without limitation, the connection, communication, or sessionthat is between client and server in an internal network; theconnection, session or communication open between an Internet computerand an Internet server; and the session open by Internet computer to aweb site using a browser program, where the web site can be an onlinebank or an ecommerce site. The term “session” in the present inventionis equal to “communication”. “Sessions” and “communications” are alsothe same.

The term “server”, as used in the context of the present invention,applies to any device that uses this method, such as, withoutlimitation, any device with an operating system having computing andcommunication capabilities, such as Windows™, Unix™ and Linux™;installed on any firewall; workstation, laptop, PDA or mobile phone. Themethod can be implemented on the server to monitor the server's internalactivity and can also be implemented on an external device to monitor atleast one other different device.

It should be understood that the term “mobile voice phone”, as used inthe context of the present invention, applies to any mobile devicemodified or designed for voice or text communication, such as a mobilephone, capable of communicating with another device via wirelessnetworks and associated telecommunication protocols, such as, but notlimited to, cellular systems, radio systems, WiFi, WiMAXT™, RFID,Bluetooth™, MIMO, UWB, satellite systems, or any other such wirelessnetwork known now or in the future. Other non-limiting examples includeany device that has been modified or designed to communicate with aweb-ready PDA, a Blackberry™, or a tablet or laptop computer withcellular connect capabilities.

It should be understood that the term “communication voice device”, asused in the context of the present invention, applies to any voicedevice capable of communicating with another voice device such as, butnot limited to, phone, mobile voice device, laptop computer, desktopcomputer, server, VoIP phone or personal digital assistant (hereinafterPDA). Other non-limiting examples include any device that has beenmodified or designed for voice or text communication.

It should be understood that the term “mobile voice device”, as used inthe context of the present invention, applies to any mobile devicemodified or designed for voice or text communication and capable ofcommunicating with another device via wireless network such as but notlimited to cellular system, radio system, WiFi, WiMAXT™, RFID,Bluetooth™, MIMO, UWB (Ultra Wide Band), satellite system or any othersuch wireless networks known now or in the future. Other non-limitingexamples include any device that has been modified or designed tocommunicate with a Internet-ready PDA, a Blackberry, a laptop computerwith cellular connect capability, or a notification server, such asemail server.

It should be understood that IP Address means an Internet protocoladdress according to the specifications of any Internet communicationprotocol, including but not limited to IPV4 and IPV6. “Foreign IPaddress” refers to an IP address that is assigned to a device not on thelocal or proprietary network.

It should be understood that where the present description, figures, andclaims make reference to the process of “correlating” a location with anIP address, the process comprises comparing the specified location(e.g., the location of a device, home, or office) with a geographicallocation associated with the specified IP address, and estimating ordetermining the physical proximity of the two locations.

This invention relates to a method and system for acquiring an Internetuser's consent over the Internet to be geographically located via atleast two independent sources of wireless information while at least oneindependent source of wireless information is the Internet user'scommunication voice device. The proposed method does not require anyuser intervention outside the user's interaction at the Internet site orwith the Internet user's browser.

FIG. 1 is a flow chart illustrating a first exemplary method and system100 for acquiring an Internet user's consent to be located andauthenticating said Internet user identity using the Internet userlocation information, according to an embodiment of the presentinvention. The method starts at step 101. At step 102, the Internet sitereceives data indicating access by an Internet user who is accessing theInternet shopping site (such as www.onlineshoppingsite.com). At step103, the Internet site receives data indicating that the user hasselected a product that the user would like to buy and the user choosesto complete the transaction (“checkout”). At step 104, the Internet siteprompts the Internet user for their information (such as their creditcard, shipping/billing address and mobile phone number, if it's not onfile). At step 105, the Internet site receives the required informationsuch as the billing address, shipping address, credit card informationshipping method, etc., that the Internet user has entered. At step 106,the Internet site presents an unchecked checkbox with a prompt such as,“free expedited shipping” and offers to use the Internet user's currentmobile phone location to assist in cross-referencing the user's creditcard information. The Internet shopping site may present “terms andconditions” describing in detail the implications of checking the box asgiving fully informed consent to have geo-location run on the user'scell phone. The preferred action will be for the consumer to “accept”those “terms and conditions.” At step 107, the Internet site verifiesthe consumer's identity via industry external databases (e.g.,Experian™, Targus™, etc.) That verification seeks to confirm that themobile phone owner's information and the credit card/bank accountowner's information match such as billing information and name.Alternatively, and a better verification practice than utilizing a thirdparty database provider, is utilizing mobile phone companies' internaldatabases of billing information. Mobile phone companies already possessthe billing information. Unlike third party database providers, mobilephone companies' internal databases add an additional and essentialassurance of identity because the billing information already verifiedby the mobile phone companies during the mobile phone purchase at themobile phone carrier store using an ID such as driver license, and thesubscriber paying their bill sent to that billing address. At step 108,the site may check if (a) the Internet user's identity at step 107matches the external or internal database, and (b) if the Internet usermarked the unchecked box at step 106. If the Internet user checked thecheckbox in step 106, and the Internet user's information in step 107matches the database information, then the Internet site can request theInternet user's phone location 109 and begin authenticating thetransaction using the Internet user's location details (mobile phonenumber/location, computer location such as WiFi. home address or Geo IP,etc.). If the above conditions are not met, the Internet site will useother authentication methods 110.

FIG. 2 is a flow chart illustrating a second exemplary method and system200 for acquiring an Internet user's consent to be located andauthenticating said Internet user identity using the Internet userlocation information, according to an embodiment of the presentinvention. The method starts at step 101 and steps 101 through 105 arethe same as for embodiment 100 in FIG. 1. At step 206, the Internet sitemay present a checked checkbox with a prompt such as, “free expeditedshipping—onlineshoppingsite.com will use your current mobile telephonelocation to protect your credit card information”, and will use theInternet user's current mobile phone location to assist incross-referencing their credit card information. At step 107, the siteverifies the Internet user's identity via industry databases (Experian,Targus, 192, etc.) just as in step 107 of embodiment 100 of FIG. 1. Thatverification seeks to confirm that the mobile phone owner's informationand the credit card/bank account owner's information match. At step 208,the site may check if (a) the Internet user's identity at step 107matches with the external or internal database and (b) if the Internetuser did not uncheck the box at step 206. If the Internet user did notunchecked the checked checkbox in step 206, and the Internet user'sinformation in step 107 matches, then the Internet site can request theInternet user's phone location 109 and begin authenticating thetransaction using the Internet user's location details (mobile phonenumber/location, computer location such as WiFi, home address or Geo IP,etc.). If the above conditions are not met, the site will use otherauthentication methods 110.

FIG. 3 is a flow chart illustrating the exemplary method and system 300for acquiring an Internet user's consent to be located andauthenticating said Internet user identity using the Internet userlocation information, according to an embodiment of the presentinvention. The method starts at step 101 and steps 101 through 105 and107 are the same as for embodiment 100 in FIG. 1 and embodiment 200 inFIG. 2. At step 306, the Internet site will ask the Internet user torelease their location or share their location via their Internetbrowser. Because standards such as HTML5 are implemented as part ofmodern Internet browsers like Firefox™ and Internet Explorer™, it ispossible to share the Internet user's wireless location with theInternet sites. For privacy reasons, the Internet user is required toselect a “share location” option. Once the Internet user clicks “sharelocation”, the Internet site can get the Internet user's wirelesslocation. It is at this moment that the Internet user has provided theirconsent to release their geographical location, and the site can acquirethe Internet user's geographical location and/or the location of saiduser's computer.

However, that Internet site is not enabled to know if the Internet useris authorized to consent to the release of the location of thecommunication voice device. For example, a minor may be the Internetuser and have the communication voice device. At step 308, the Internetsite may check if the Internet user's identity at step 107 matches withthe external or internal database. If the information matches such asuser/password, billing information, credit card, token number or othersecret or private information that the Internet user knows, like privateinformation of the communication voice device owner. Therefore, when theInternet user has provided his/her consent to be located via the browserin step 306, that consent can also be utilized when locating 109 thatInternet user via their communication voice device. Should (a) theinformation not match external or internal databases at Step 107 or (b)when the Internet user did not release his consent at step 306, step 110is executed and authentication of the transaction can be processed usinga different authentication method.

FIG. 4 is a flow chart illustrating the exemplary method and system foracquiring an Internet user's consent to be located and authenticatingsaid Internet user identity using the Internet user locationinformation, according to an embodiment of the present invention. Themethod starts at step 101 and steps 101 through 105 are the same as forembodiment 100, 200, and 300 in FIG. 1, FIG. 2, and FIG. 3,respectively. At step 306, the Internet site will ask the Internet userto release his/her location or share his/her location via the Internetuser's Internet browser. At step 408, the site may determine if theInternet user has released his/her computer location. If the Internetuser has released his/her location information, the Internet site willlocate the Internet user's communication voice device as well 109. Ifthe Internet user has not released their information, the Internet sitewill authenticate the transaction using a different method 110.

Another example employs two separate devices with two separate sourcesof wireless locations, such as a laptop computer and a communicationvoice device such as a mobile phone. One source of information is thewireless location of the laptop's WiFi, provided by the browser, and thesecond source of wireless location is the mobile phone's locationaccording to GPS, Cell site or antenna triangulation. Additionally,there could be one device with two separate sources of wirelesslocation, such as a smart phone such as a PDA or iPhone™. Here, it is asingle device with the source of information being the WiFi locationprovided by the browser and the second and separate source of wirelesslocation being the cellular carrier tower triangulation or GPS locationprovided by the mobile phone carrier.

Many online users with online accounts, such as bank accounts, onlinegaming and gambling accounts, and e-commerce accounts, and other onlineusers who have Internet accounts protected by a username and password,have provided the institutions and corporations who manage thoseaccounts with contact information that includes a mobile phone number.For these individuals, it is possible to get their consent to be locatedvia their mobile phone by verifying how long their mobile phone has beenon record as being associated with that account. If for example, if themobile phone number has been recorded on a bank's databases and onlinerecords for longer than a predetermined time, it is virtually certainthat the number does in fact correspond to the user's cell phone, makingit unnecessary to verify the association. It is then possible to requestthe user's consent to be located, without any interaction with themobile phone during the request and consent processes. Requesting theuser's authorization can be done during a user's Internet session, viae-mail, or by otherwise contacting the user and receiving consent. Ifthe mobile phone has been recorded in the bank's databases for less thanthe predetermined time, then the online bank can verify the mobile phoneownership by using the user's mailing address and mobile phone ownershipinformation, as already mentioned.

Adding geographical locations to the Internet user's information, suchas the Internet user's mobile voice device number, mobile voice devicelocation, home address, client locations, etc., will allow verificationthat the session or connection of the Internet user is authorized. Thesession or connection IP address origin is matched with the geographicallocation of the mobile voice device or other geographical location ofthe user such as the user's home address.

FIG. 5 is a flow chart illustrating one example of a method and systemfor authenticating an Internet user by validating the identity of theuser via geolocation of the user's mobile voice device, IP address orWiFi location. In order to check the current communications the serverhas, at step 501 the system will monitor the open connections to theserver by using a command like “netstat-aon”. The command will retrieveinformation like “Local address” “Foreign address”, port, state PID(Process ID) file name etc. Using this information at step 502 thesystem will be able to determine the open ports and IP address of eachopen session. Using information from the open session such as IPaddress, file name etc. it is possible to determine at step 503 who theuser is, by matching the IP address against the server's logon logs. Theserver writes to a log each time a user logs on to the server and theuser's IP address, so that it is possible from each log entry to knowthe username, the time of the user's logon, and whether connection wasallowed or denied. It is also possible to build an internal databasewhich will correlate information from the internal server to userinformation like file name, IP address, username etc.

At step 504 the system will correlate between the username and theuser's mobile phone number and check if the user gave his consent ornot, if the phone number requires user consent, or if it's a companyphone number that does not require user consent. If the phone number isnot a company phone number and requires consent then the system willstart initiating a consent using one of the methods mentioned above or adifferent method acceptable by the company employing this method. Atstep 505 the system locates the user's mobile voice device. It is alsopossible to install software at the user's mobile voice device, such asa mobile laptop, and that software can transfer using an agent or thecomputer's browser the laptop location. In addition the system maylocate a second independent source of information, such as anotherindependent mobile voice device, to provide additional locationinformation from the independent source. The system can correlate twosources of location information such as Geo IP and mobile voice device,or two independent sources of mobile voice device from two sources. Forexample, one source can be the WiFi location and the other source can bethe carrier information.

At step 506 the system will check if the locations of two sources ofinformation are proximate, within a predetermined degree of separation.(In the example shown in FIG. 5, they are the mobile phone location andthe geographic location of the foreign IP address.) If they are, at step507 the system will authorize the connection. If it's not, at step 508the system will raise a red flag or alternatively disconnect thesession.

One way of doing this is by programming a computer to implement thefollowing steps (see FIG. 5):

1. Use a command such as netstat to identify one or more open sessionsinto the server, and the foreign IP address of each identified opensession.

2. Match the foreign IP address to the server domain or the serversecurity log in order to identify which user name is using this foreignIP address.

3. Once the user name is known, locate the mobile phone number or theaddress that allows access into the server.

4. Determine the user's mobile phone location or the user's homelocation.

5. Match the mobile phone location or home location of that user withthe open session foreign IP address, then

-   -   (a) If the match is positive, identify the user as an authorized        user, or    -   (b) If the match is negative, identify the user as an        unauthorized user.

There are alternative ways of implementing this method. Suitableembodiments include, without limitation:

Employing a programmed external device which will have access to localor remote username and password databases like the domain server. Inaddition to the username and password database, the programmed externaldevice will have access to local or remote database of mobile phonenumbers associated with the username and password database. Additionaldatabases having geographical locations like clients' locations, homeetc. can be associated in the user level or the group level. Forexample, one may allow user access from the user's home address and/orzip code area (e.g., 375 South End Ave., New York N.Y. 10280) and have amobile phone associated with that user. When that user tries to accessthe system, the programmed external device will determine if the requestarrives from the correct corresponding home address location (or zipcode) and, if not, the system will determine if the request arrived froman IP address and then determine if the user's mobile phone is proximateto (i.e., near or at) the location of that IP address.

The allowable degree of separation between the two locations, beyondwhich a connection is denied or a session is terminated, is at thediscretion of the practitioner, and may be specified any manner that canbe implemented on the system (e.g., “no more than x miles”, “same oradjacent zip code”, “same city”, etc.) Group access can be implementedvia a client address and/or zip code, i.e., any request from a givenaddress and/or zip code can be allowed. This may be advantageous whereauthorized users are located within a proprietary building or securepremises.

Additional functions of the programmed external device can be checkingthat the mobile phone is near or at the allowed address, and/ordetermining that the mobile phone is near or at the allowed addresswhile the IP address is allowed. The functionality of the programmedexternal device may be implemented on the server being protected.

There may be various methods for determining distances between the homeaddress, mobile phone location, and IP location. Examples include,without limitation, the following:

1. In case the distance between the home address and the user's(foreign) IP address is more than a predetermined value, and thedistance between the user's IP address and the mobile phone location isless than a predetermined value, then allow the connection. Optionally,one may add the foreign IP address to a “white list” of preauthorizedusers.

2. In case the distance between the home address and the user's(foreign) IP address is less than a predetermined value, and thedistance between the user's IP address and the mobile phone location isless than a predetermined value, then allow the connection.

3. In case the distance between the home address and the user's(foreign) IP address is more than a predetermined value, and thedistance between the user's IP address and the mobile phone location ismore than a predetermined value, then do not allow the connection, stopthe connection, or report the breach. Optionally, one may add theforeign IP address to a “black list” of blocked prospective users.

4. In case the distance between the user's (foreign) IP address and themobile phone location is more than a predetermined value, then do notallow the connection, stop the connection, and/or report the breach.Optionally, one may add the foreign IP address to a “black list” ofblocked prospective users.

Preferably, both a white list and a black list of foreign IP addressesis generated automatically by the system, enabling a determination thatthe user's mobile phone is near a white list IP address at the time ofthe transaction. In an alternate embodiment, the white list and blacklist may be created and entered by a system administrator. In anotheralternate embodiment, the automatically generated black list or whitelist may be edited by the system administrator to add or delete foreignIP addresses.

Using the “Process ID” it is possible to know which file opens a sessionor a connection to a remote computer. Since the foreign IP Address isknown, the system can determine if the connection is authorized or notauthorized. For example, if the foreign IP address is located in Texaswhile no authorized user is there, access is unauthorized. The presentmethod will be able to flag the connection, inform the systemadministrator, and allow him to block the connection or allow theconnection. In addition, since it's possible to know which file openedthe new session or connection, than the method of the present inventioncan remove the breach-initiating file if it is found to be securityhole, Trojan, or Virus. Other options are also possible, such asblocking the outside connection to that IP address, and automatically“black listing” the foreign IP address since that foreign IP address isnot near an authorized user's mobile phone device.

Since the system of the present invention can to get the completecommunication between the server and the client using tools likesniffers, logs, DLL, etc., and since the system can determine if theconnection between the client and the server is authorized based on theforeign IP address and the mobile voice device location, the system candetermine which commands the hacker or fraudster sent to the server thatgave him unauthorized access into the server. Once the system hasdetermined what commands gave the hacker or fraudster access into theserver, the system can block these commands the next time any fraudsteror hacker tries to use them. The system blocks these commands byproviding a filter on the open service like IIS or in the firewall toautomatically block these commands and possibly add the IP address thatsent that commands to a “black list”.

Each request to connect to the server will pass via the programmedexternal device or the programmed external device will have the optionto monitor existing connections and sessions to the server. In analternate embodiment, the programmed external device may perform bothfunctions.

In certain embodiments of the invention, additional functionality may beincorporated into the system, including but not limited to thefollowing:

1. Optionally, one may recognize a local subnet and allow connectionsinto the server without checking the mobile phone location at all orduring specific hours. For example, if the connection to the server isinitiated from a foreign IP address that is located in a safe area thendo not check where the mobile location of that user is, or only checkthe mobile phone location if the connection is during specific hours.Also, one may check the connection into a specific server only if theconnection is open and active for more than a predetermined amount oftime. For example, when a connection is open from another station formore than 2 hours, then determine if the connection is authorized. Onemay also determine if the mobile phone is near the foreign IP addressonly if the connection is made after a specific time of day (e.g., afternormal business hours).

2. Optionally, one may check the mobile phone location whenever the useris accessing or requesting specific data that is sensitive, for exampleif a user is requesting the server to present credit card information,or the credit card information of more than a predetermined number ofusers.

3. Optionally, if there is a match between the “foreign IP address” andthe user IP address as it appears on the security log or domain server,one may elect not to request the mobile phone location of that user.

4. Optionally, one may automatically white list the IP addresses orcomputer signatures of users who have previously accessed the server andhave already had the system check their mobile phone location onprevious occasions. The 2nd or 3rd time that the user accesses theserver, it will not be necessary to check his mobile phone location.

5. Optionally, since the system will determine which connections areauthorized and which are not authorized, the system can also:

-   -   a. Mark unauthorized connections;    -   b. Inform the administrator of unauthorized connections;    -   c. Show the commands that gave the unauthorized user access into        the server;    -   d. Block future access into the server using the command        patterns that gave the unauthorized user access into the server,        so that future access will be blocked automatically when the        hacker tries to use the same or similar command pattern;    -   e. Automatically block the IP addresses of users who try to gain        unauthorized access into the server;    -   f. Automatically block the computer signatures of users who try        to gain unauthorized access into the server;    -   g. Automatically remove files uploaded to the server by        unauthorized users; and/or    -   h. Automatically disconnect unauthorized connections.

6. Since the system can determine which port an unauthorized user triedto access, the system can allow the system administrator to check onlyaccessed connections and sessions to specific ports.

7. The system will enable the system administrator to build sets ofrules to automatically verify if a particular Internet connection isauthorized or not authorized.

Systems implementing the methods of the invention can be installed on aserver, workstation, laptop, mobile phone, or function as an additionalprogrammed external device between the clients and the server.

In the case that Client A is connected to Client B via messenger, hassent emails, is transferring a file between two computers etc., thesystem can verify that communication into the server is coming from acomputer that is physically near the owner or the user of that computer,or that the user is at the location that the communication is comingfrom.

By using the methods of the invention, a server can be open to theInternet, and allow authorized users use the server, while providing theserver administrator with additional layers of supervision that enablehim to stop attacks, from the Internet or locally, as the attack startsor in near time.

A system employing the methods of the invention can work in two mainmodes, and combinations of the two are possible:

1. Monitoring—the system scans the open sessions and connections andensures that the connections and sessions open to the server arrive fromlocations that are near the Internet users' mobile phones.

2. Authentication—in authentication mode, the system ensures thatrequests to open a session or connection to the server arrive to theserver from locations that are near the Internet users' mobile phones.

The difference between monitoring and authentication is that inauthentication mode, a system implementing the present invention willnot allow access to the server if the request originated from a locationwhere the user's mobile phone is not nearby. Monitoring scans existingconnections and sessions to the server after the authenticationprocesses have been passed. In addition, in the monitoring mode, asystem implementing the present invention can raise a red flag and/ordisconnect an existing connection and the unauthorizedconnection/session will not be allowed to enter.

In conclusion, herein is presented a method for acquiring an Internetuser's consent over the Internet to be geographically located via atleast two separate and independent sources of information, wherein atleast one independent source of information is the location of saidInternet user's wireless communication voice device. The invention isillustrated by examples in the illustrative drawings and in the writtendescription. It should be understood that while adhering to the spiritof the inventive concept, numerous variations exist for the practice ofthe invention described herein, and that such variations arecontemplated as being a part of the present invention.

1. A method for acquiring an Internet user's consent over the Internetto be geographically located via at least two separate and independentsources of geographical information wherein at least one independentsource of geographical information is the wireless location of saidInternet user's communication voice device.
 2. The method of claim 1,wherein the communication voice device is a mobile telephone.
 3. Themethod of claim 1, wherein the communication voice device is a mobilecomputer.
 4. A method for acquiring an Internet user's consent, via onecommunication voice device, to be geographically located via wirelesstechnology using a second communication voice device without any userinteraction with the second communication voice device.
 5. The method ofclaim 4, wherein the first and second communication voice device are twoseparate communication voice devices.
 6. The method of claim 4, whereinat least one communication voice device is a mobile telephone.
 7. Themethod of claim 4, wherein at least one communication voice device is amobile computer.